Update DNS servers BIND 9.14.4 and Knot 2.8.3

Corrective updates have been published for the stable branches of the BIND DNS server, 9.14.4 and 9.11.9, as well as for the experimental branch 9.15.2, which is under development. The new releases fix a race condition vulnerability (CVE-2019-6471) that could lead to a denial of service (the process terminates when an assertion is triggered) while blocking a large number of incoming packets.

In addition, version 9.14.4 adds support for the GeoIP2 API for connecting the IP-address location database from MaxMind (enabled by building with the "--with-geoip2" option). Some ACLs (such as network speed, organization, and country code) that were previously supported with the old GeoIP API, which MaxMind no longer maintains, are deprecated for GeoIP2. Two new metrics, dnssec-sign and dnssec-refresh, were also added, with counters for the number of DNSSEC signatures generated and refreshed.

Also worth noting is the release of the Knot DNS server 2.8.3, which adds a certificate/key configuration file for TLS to kdig, makes log entries for offline-KSK signing and the RRL module more informative, and extends the DNSSEC configuration checks.

The Knot Resolver 4.1.0 update was also released, fixing two vulnerabilities (CVE-2019-10190, CVE-2019-10191): the ability to bypass DNSSEC validation for queries on missing names (NXDOMAIN), and the ability to roll a DNSSEC-protected domain back to an insecure DNSSEC state via packet spoofing.

Source: opennet.ru